A certificate system provides a security framework to ensure that network resources are accessed by authorized users. The certificate system is capable of generating digital certificates for different users to verify the identity of a presenter. The certificate system can include a Certificate Authority (CA) subsystem to issue and revoke certificates and an Online Certificate Status Responder subsystem to verify whether a certificate is valid. Revoked certificates are certificates that are no longer valid and should no longer be relied upon. A certificate revocation list (CRL) is a list of the revoked certificates and is published by the CA that issued the certificates.
A certificate authority supports the Online Certificate Status Protocol (OCSP). OCSP enables OCSP-compliant clients to determine the state of a certificate, including its revocation status, without having to directly check a certificate revocation list (CRL) published by a CA. An OCSP-compliant client can send a certificate status request to a validation authority, such as an OCSP responder. The OCSP responder can check the status of the certificate for the OCSP-compliant client and return one of three possible statuses: 'good', 'revoked', or 'unknown'. A client can proceed according to a client policy based on the received response.
Not all clients, however, may be OCSP-compliant. Non-OCSP-compliant clients cannot simply send a status request to an OCSP responder; instead, they must request a copy of a certificate revocation list from a certificate authority. A CA may therefore receive a significant number of client requests for certificate revocation lists to verify certificate status. A large number of such requests can greatly burden the CA's resources and thus have a negative effect on the performance of the CA.
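The two validation paths described above, as an added illustration that is not part of the original text: an OCSP responder that answers 'good', 'revoked' or 'unknown' from the CRLs it holds, a client policy that decides what to do with each status, and the check a non-OCSP-compliant client must perform itself against a downloaded CRL copy. All issuer names, serial numbers and dates are constructed sample values, and the CRL is reduced to its issuer, its revoked serial numbers and its validity window.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Set


@dataclass
class CRL:
    """Minimal model of a certificate revocation list (constructed; not a real CRL format)."""
    issuer: str
    revoked_serials: Set[int]
    this_update: datetime
    next_update: datetime


@dataclass
class OCSPResponder:
    """Validation authority: answers status requests from the CRLs it knows about, keyed by issuer."""
    crls: Dict[str, CRL]

    def status(self, issuer: str, serial: int) -> str:
        crl = self.crls.get(issuer)
        if crl is None:
            # No revocation data for this issuer: the responder cannot vouch either way.
            return "unknown"
        return "revoked" if serial in crl.revoked_serials else "good"


def ocsp_client_decision(status: str, policy: str = "strict") -> bool:
    """Client policy applied to an OCSP response.

    'strict' accepts only 'good'; 'lenient' also accepts 'unknown'.
    'revoked' is never accepted.
    """
    if status == "good":
        return True
    if status == "revoked":
        return False
    return policy == "lenient"


def non_ocsp_client_check(crl: CRL, issuer: str, serial: int, now: datetime) -> bool:
    """Non-OCSP client: holds its own CRL copy and checks the serial against it.

    The client must also confirm the CRL belongs to the certificate's issuer
    and has not passed its next_update, otherwise it must fetch a fresh copy.
    Returns True when the certificate is not listed as revoked.
    """
    if crl.issuer != issuer:
        raise ValueError("CRL issuer does not match the certificate issuer")
    if now > crl.next_update:
        raise ValueError("CRL is stale; fetch a fresh copy from the CA")
    return serial not in crl.revoked_serials


# Constructed sample data: one issuing CA, two certificates (serial 0x1001 valid,
# serial 0x1002 revoked), and a fixed "current time" inside the CRL's validity window.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
EXAMPLE_CRL = CRL(
    issuer="Example CA",
    revoked_serials={0x1002},
    this_update=datetime(2024, 1, 1, tzinfo=timezone.utc),
    next_update=datetime(2024, 2, 1, tzinfo=timezone.utc),
)
EXAMPLE_RESPONDER = OCSPResponder(crls={EXAMPLE_CRL.issuer: EXAMPLE_CRL})


if __name__ == "__main__":
    # OCSP-compliant client: one small request per certificate, no CRL download.
    for serial in (0x1001, 0x1002):
        status = EXAMPLE_RESPONDER.status("Example CA", serial)
        print(f"serial {serial:#x}: OCSP status={status}, "
              f"accept(strict)={ocsp_client_decision(status)}")
    # Non-OCSP client: must obtain and parse the whole CRL from the CA itself.
    print("non-OCSP check for 0x1001:",
          non_ocsp_client_check(EXAMPLE_CRL, "Example CA", 0x1001, NOW))
```

Note the asymmetry this makes visible: every non-OCSP client has to pull the full CRL from the CA (and re-pull it once `next_update` passes), whereas the OCSP path moves that load to the responder and leaves the client with a single status request and a policy decision.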